On Thu, 2008-11-20 at 17:54 +0000, Tony Stevenson wrote:

> For some time now I have been making some tongue-in-cheek comments stating that
> the ASF should look at using some form of centralised authentication
> and/or authorisation.
>
> We, the infra team, currently manage the access to services such as:
>
> * Subversion
> * Shell access to people.apache.org
> * Bugzilla
> * Confluence
> * JIRA
> * cwiki
>
> This means that folks who have access to any or all of these systems will
> have individual accounts for each service. This seems daft with over
> 2000 committers now; with this number rising each week, this will become
> more difficult to reliably sustain.
>
> So what I want to do now is formally propose that we consider deploying
> LDAP directory services. This can be used not only for
> centralised authentication/authorisation but also for:
>
> * Storing copies of committers' public keys.
> * Storing a copy of users' associated ICLA.
> * Contact information, at least for all members, but possibly committers too.
>
> A few people have helped start gathering requirements and ideas here ->
>
> https://svn.eu.apache.org/repos/asf/infrastructure/trunk/projects/ldap-project/
>
> That folder is currently available for all committers to look over, but
> not to write to.
>
> The current docs are by no means complete, and I am looking for other
> folks to help me get them to a state so that we can present the idea and
> kick the project off. There are some technical requirements that are
> non-negotiable, for instance:
>
> * Multi-site master (for HA)
> * Intra-site replication (to maintain said HA)
> * No direct internet access to LDAP (obvious, but, security)
>
> There are some other ideas in the documentation in Subversion, like karma
> attribution, amongst others.
>
> Clearly most of the wish list items will require a custom user schema to
> be used to store the relevant information.
>
> I am happy to run with this, but I am looking for input from folks willing
> to either help and/or get involved.

The biggest issue that I do not yet see resolved is that of username namespaces.

Currently, we have a 'committer' namespace: names are allocated, by root, based upon requests from the new committer, when their Apache account is created.

If we go to an LDAP setup that covers non-committers too, then we have to expand our namespace handling to cover names that non-committers might choose. And we need to work out a way to handle the transition from non-committer to committer, in the (likely) case that that involves a change in username.

Otherwise, we could get folks snapping up all the best names in the @apache.org namespace in the hope that they may one day become a committer, rather than having a name selected for them at the point at which their account is created.

In comparison to this, setting up LDAP itself seems easy :-)

Upayavira